Resubmissions

03-03-2024 12:53

240303-p4l89sbc38 10

03-03-2024 12:52

240303-p34f6aag4v 10

Analysis

  • max time kernel
    21s
  • max time network
    24s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted
    03-03-2024 12:52

General

  • Target
    linux_hive.elf
  • Size
    2.3MB
  • MD5
    56075e7c63b3f9f612cde6187d4a7877
  • SHA1
    1bcfa979b7b9044ba5ce5c006bd26b0bdbeb8464
  • SHA256
    12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185
  • SHA512
    7df68e37b3c2e7ce197f0d8736d06adf808343fe2d638bcd3e0f285968e1365c06b33157c6e5816b9fa9362e6adc262d3d2da45d3d1a38efb7e2ce980fce8b80
  • SSDEEP
    49152:TzVcrxrb/TGvO90dL3BmAFd4A64nsfJbJ5PhTZDknzImQXNqw0Xfgg778lwQJKTS:TcbP/kB30JKT

Score
10/10

Malware Config

Extracted

  • Path
    /FVUV_HOW_TO_DECRYPT.txt
  • Family
    hive
  • Ransom Note
    Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: FqRAvHSSJR6Z Password: fWqzu3Kqd31FWKUvb5rq To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data:
    - Do not modify, rename or delete *.key.mrvk3 files. Your data will be undecryptable.
    - Do not modify or rename encrypted files. You will lose them.
    - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything.
    - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.
    - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
  • URLs
    http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
    http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Hive
    A ransomware written in Golang, first seen in June 2021.
  • Deletes itself (1 IoC)
  • Enumerates running processes
    Discovers information about currently running processes on the system.
  • Reads CPU attributes (1 TTP, 17 IoCs)
  • Reads hardware information (1 TTP, 1 IoC)
    Accesses system info like serial numbers, manufacturer names, etc.
  • Reads network interface configuration (2 TTPs, 12 IoCs)
    Fetches information about one or more active network interfaces.
  • Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
    Reads contents of the /sys virtual filesystem to enumerate system information.
  • Reads runtime system information (64 IoCs)
    Reads data from the /proc virtual filesystem.
  • Writes file to tmp directory (7 IoCs)
    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/linux_hive.elf (PID 1466)
    Command line: /tmp/linux_hive.elf
    • Reads CPU attributes
    • Reads hardware information
    • Reads network interface configuration
    • Enumerates kernel/hardware configuration
    • Reads runtime system information

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • System Information Discovery (T1082): 3
  • System Network Configuration Discovery (T1016): 1
  • System Network Connections Discovery (T1049): 1


Downloads

  • /FVUV_HOW_TO_DECRYPT.txt
    Filesize: 1KB
    MD5: 88cb43b9893d9559fcd7c2ff92198346
    SHA1: 10f5b6704bf62d54b6928456dfd5127fcb16a936
    SHA256: 36b00b82b942515e84d145a88bc7bbe9f59773bd8e3c4d9639dd2e3ffc4bb2e6
    SHA512: 48f7b52fa640ac38a8a0e2216c0cfd848ef704c23cd59723b7fb0f5e83da455ff75701a40e8ede99156cdfc8aef0ec6246de0d4afd7fdbe21051bef1eed63224

  • /fLRc4FvNpND2-X2GIeaRU-RZioMm9pu9ejSAnSrQ5Zb_.key.mrvk3
    Filesize: 1.2MB
    MD5: e3bdddfb23369bd6da22e86ca23ec5cf
    SHA1: 80126912b5be4be9cce1c7717b102ca10a863b81
    SHA256: d3c35dc042d17717154bca5a47478304589db2ccec2ab3c896c59af2a0d775ea
    SHA512: d3b6f70c7ca453c883c74867acb3121a0f2c0991773cf13b02ff0666e4411675529f0b6217187517c6a6cddd14870a1c5d1294868b35e2d72b282260b3510c6b